We’re about to blow your mind, so make sure you’re buckled in. Are you ready? Are you ready to have your world rocked and turned upside down? If you have plugins installed on your WordPress site, update them. I know, it’s mind numbing, right? Apparently, not everyone updates their programs, plugins, and themes as soon as a fix ships and, as a result, their sites stay exposed to flaws that have already been published.
PC Mag was one of the mainstream news outlets to tackle the case of the out-of-date WordPress plugin, identifying five plugins that you absolutely must update right now. And when we say now, we mean stop reading this article, update the plugin, and then come back to our site. Wash, rinse, repeat.
The first was MailPoet, which is suffering from a “remote file upload” flaw. As one security expert told PC Mag, “This bug should be taken seriously; it gives a potential intruder the power to do anything he wants on his victim’s website. It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending spam, hosting malware, infecting other customers (on a shared server), and so on!” Once an attacker can drop a PHP file of their choosing onto your server, the site is theirs, so this is not a plugin that should remain vulnerable for even a day.
As we saw recently, TimThumb suffered from a vulnerability that, according to our original article on the topic, “leaves many websites vulnerable to exploits that allow unauthorized attackers to execute malicious code.” The critical issue is in the WebShot function, which is turned off by default, so most installs are not exposed unless someone deliberately enabled it. If you use TimThumb at all, and especially if WebShot is on, now is the time to update it.
About six weeks ago, an issue cropped up with All In One SEO Pack that allowed attackers to change the SEO settings of a website, which could leave you in hot water going forward. There were also issues with All In One SEO Pack involving injected JavaScript (the page’s original wording was “Java code,” but the plugin is PHP and the issue concerned script injected into the site) and passwords. According to PC Mag, the most recent version of All In One SEO Pack is 2.1.6, so make sure to upgrade to that.
PC Mag also highlighted a recent issue with the Login Rebuilder plugin. The news site explained that the flaw “would allow attackers to hijack the authentication of arbitrary users. Essentially, if a user viewed a malicious page while logged into the WordPress site, attackers would be able to hijack the session. The attack, which didn’t require authentication, could result in unauthorized disclosure of information, modification, and disruption of the site.” In other words, the attacker never needs your password; they only need a logged-in user to load a page they control. Version 1.2.3 appears to be the most recent rollout available.
Finally, PC Mag pointed out an issue with the JW Player plugin. The video-oriented plugin could be your downfall if it’s not updated as, according to the site, “Attackers would be able to remotely hijack the authentication of administrators tricked into visiting a malicious site and remove the video players from the site.” Same pattern as Login Rebuilder: a logged-in admin visits the wrong page and the plugin does the attacker’s bidding. PC Mag recommended upgrading to Version 2.1.4.
How should you protect yourself from this steady stream of vulnerabilities? It’s simple: update your plugins and update your themes. Also, PC Mag and other sites we perused stressed the importance of looking through your site’s directories for files that are out of place. The classic tell after a flaw like MailPoet’s is a PHP file sitting somewhere that should only hold images, such as wp-content/uploads, or plugin and theme files whose modification dates don’t line up with when you last ran an update. Rather than just assume everything on your server and on your site is running as normal, take some time to poke around and make sure every file and every plugin seems to be in order. You’ll be happy you did.
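Here is a small scanner for exactly that poking-around step. It is an added example written for this post, not code from ThemeSquirrel, PC Mag, or any of the plugins mentioned. It assumes a standard WordPress layout where wp-content/uploads only ever holds media, so any PHP file found there is suspect, and it builds its own throwaway demo site tree (constructed for the example) so you can see what a hit looks like before pointing it at a real install.

```shell
#!/bin/sh
# Added example for this post (not ThemeSquirrel's, PC Mag's, or any plugin's code).
# Assumption: standard WordPress layout; wp-content/uploads should contain media only,
# so a .php file under it is the kind of thing the MailPoet flaw let attackers plant.

# Print every PHP-like file under the uploads directory of the install at $1.
# Paths are relative to the install root, one per line; prints nothing when clean.
find_php_in_uploads() {
    root="$1"
    [ -d "$root/wp-content/uploads" ] || return 0
    (cd "$root" && find wp-content/uploads -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) | sort)
}

# Print plugin and theme files changed within the last $2 days (default 7).
# Compare the list against the dates you actually ran updates; anything
# else that changed recently deserves a closer look.
recently_changed() {
    root="$1"
    days="${2:-7}"
    (cd "$root" && find wp-content/plugins wp-content/themes -type f \
        -mtime "-$days" 2>/dev/null | sort)
}

# Build a constructed demo install so the scanner can be tried offline.
# Prints the temporary root directory; the caller removes it when done.
make_demo_site() {
    demo="$(mktemp -d)"
    mkdir -p "$demo/wp-content/uploads/2014/07" \
             "$demo/wp-content/plugins/example-plugin" \
             "$demo/wp-content/themes"
    : > "$demo/wp-content/uploads/2014/07/photo.jpg"            # normal media
    : > "$demo/wp-content/uploads/2014/07/index.php"            # planted webshell
    : > "$demo/wp-content/plugins/example-plugin/index.php"     # legitimate plugin file
    echo "$demo"
}

# Usage: sh scan.sh /path/to/wordpress   (path is whatever your host uses)
if [ -n "$1" ]; then
    echo "PHP files under wp-content/uploads:"
    find_php_in_uploads "$1"
    echo "Plugin/theme files changed in the last 7 days:"
    recently_changed "$1" 7
fi
```

Run it against the demo tree first (`d=$(make_demo_site); find_php_in_uploads "$d"`) and you will see only the planted index.php under uploads reported, not the legitimate plugin file. On a real site, anything it prints is not automatically malicious, but it is a file you should be able to explain.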
Rest assured that if we find any more security issues related to WordPress, we’ll keep you posted here on ThemeSquirrel.